
Configuring LDP Keychain Authentication

Context

To improve LDP session security, Keychain authentication can be configured for a TCP connection over which an LDP session has been established.

Keychain authentication uses a set of passwords and switches to a new password when the previous one expires. It is complex to configure and is intended for networks that require high security.

You cannot configure Keychain authentication and MD5 authentication for a neighbor at the same time.

Before configuring LDP Keychain authentication, configure keychain globally. For details about the keychain configuration, see Keychain Configuration in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security.

LDP authentication configurations are prioritized in descending order: a single peer, a specified peer group, and all peers. Keychain and MD5 authentication cannot both be configured at the same priority level. Keychain or MD5 authentication can, however, be configured at the same time for a specified LDP peer, for the peer group that contains that peer, and for all LDP peers; the configuration with the higher priority takes effect. For example, if MD5 authentication is configured for Peer1 and keychain authentication is then configured for all LDP peers, MD5 authentication takes effect on Peer1 and keychain authentication takes effect on the other peers.

Configuring LDP Keychain authentication may cause the LDP session to be re-established, the LSPs associated with the torn-down LDP session to be deleted, and MPLS services to be interrupted.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run mpls ldp

    The MPLS-LDP view is displayed.

  3. Configure LDP keychain authentication.

    • Configure LDP keychain authentication for a specified LDP peer.

      Run authentication key-chain peer peer-id name keychain-name

      LDP keychain is enabled and a keychain name is specified.

      By default, LDP keychain authentication is not performed between LDP peers.

    • Configure LDP keychain authentication for LDP peers in a specified LDP peer group.

      1. Run authentication key-chain peer-group ip-prefix-name name keychain-name

        LDP keychain is enabled and a keychain name is specified for a specified LDP peer group.

        An IP prefix list can be specified using ip-prefix-name to define the range of IP addresses in the group. Before referencing an IP prefix list, ensure that it has been created.

      2. (Optional) Run authentication exclude peer peer-id

        The device is disabled from authenticating a specified LDP peer.

        By default, after LDP keychain authentication is enabled for a specified LDP peer group, keychain authentication takes effect on all LDP peers in the group. To disable the device from authenticating a specified LDP peer, perform this step.

    • Configure LDP keychain authentication for all LDP peers.

      1. Run authentication key-chain all name keychain-name

        LDP keychain is enabled and a keychain name is specified for all LDP peers.

      2. (Optional) Run authentication exclude peer peer-id

        The device is disabled from authenticating a specified LDP peer.

        By default, after LDP keychain authentication is enabled for all LDP peers, keychain authentication takes effect on all LDP peers. To disable the device from authenticating a specified LDP peer, perform this step.
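As an added illustration of the precedence rules described above (not part of the Huawei guide and not the device's own code), the following Python model resolves which authentication method a given LDP peer ends up with. The scope names, the "md5"/"keychain" tags, the sample addresses and the rule that authentication exclude peer suppresses only group-level and all-peer authentication are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Auth = Tuple[str, str]  # (method, name), e.g. ("keychain", "ldp-kc") or ("md5", "cipher-ref")


@dataclass
class LdpAuthConfig:
    """Constructed model of the three LDP authentication scopes.
    Keychain and MD5 are mutually exclusive within one scope, so each scope holds one value."""
    per_peer: Dict[str, Auth] = field(default_factory=dict)            # peer-id -> auth
    per_group: List[Tuple[List[str], Auth]] = field(default_factory=list)  # (ip-prefix list, auth)
    all_peers: Optional[Auth] = None
    excluded: Set[str] = field(default_factory=set)                    # 'authentication exclude peer'


def effective_auth(cfg: LdpAuthConfig, peer_id: str) -> Optional[Auth]:
    """Priority, descending: single peer, peer group, all peers.
    Assumption: 'exclude peer' disables group and all-peer authentication only,
    never an entry configured explicitly for that peer."""
    if peer_id in cfg.per_peer:
        return cfg.per_peer[peer_id]
    if peer_id in cfg.excluded:
        return None
    addr = ipaddress.ip_address(peer_id)
    for prefixes, auth in cfg.per_group:
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return auth
    return cfg.all_peers


def unauthenticated_peers(cfg: LdpAuthConfig, peers: List[str]) -> List[str]:
    """Audit helper: peers that would run an LDP session with no TCP authentication."""
    return [p for p in peers if effective_auth(cfg, p) is None]


def build_example() -> LdpAuthConfig:
    """Constructed scenario: MD5 was configured for Peer1 first, then keychain for all peers,
    a keychain for the 10.2.0.0/16 group, and one peer excluded from authentication."""
    return LdpAuthConfig(
        per_peer={"10.1.1.1": ("md5", "cipher-ref")},
        per_group=[(["10.2.0.0/16"], ("keychain", "grp-kc"))],
        all_peers=("keychain", "ldp-kc"),
        excluded={"10.1.1.3"},
    )


if __name__ == "__main__":
    cfg = build_example()
    for peer in ["10.1.1.1", "10.1.1.2", "10.1.1.3", "10.2.5.5"]:
        print(peer, effective_auth(cfg, peer))
```

Run the audit helper over the device's peer list after each change; an empty result means every peer still has some form of TCP authentication.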

Copyright © Huawei Technologies Co., Ltd.